Wednesday, 21 December 2016

Data retention and national law: the ECJ ruling in Joined Cases C-203/15 and C-698/15 Tele2 and Watson (Grand Chamber)

Lorna Woods, Professor of Internet Law, University of Essex

Introduction

Today's judgment in these important cases concerns the
acceptability from a human rights perspective of national data retention
legislation maintained even after the striking down of the Data Retention
Directive in Digital
Rights Ireland (Case C-293/12 and 594/12) (“DRI”) for being a disproportionate
interference with the rights contained in Articles 7 and 8 EU Charter of
Fundamental Rights (EUCFR). While
situated in the context of the Privacy and Electronic Communications Directive
(Directive
2002/58), the judgment sets down principles regarding the interpretation of
Articles 7 and 8 EUCFR which will be applicable generally within the scope of
EU law. It also has possible implications for the UK’s post-Brexit relationship
with the EU.

Background and Facts

The Privacy and Electronic
Communications Directive requires the confidentiality of communications,
including the data about communications, to be ensured through national law. As
an exception it permits, under Article 15, Member States to take measures for
certain public interest objectives such as the fight against terrorism and
crime, which include requiring public electronic communications service
providers to retain data about communications activity. Member States took very
different approaches, which led to the enactment of the Data Retention
Directive (Directive
2006/24) within the space for Member State action envisaged by Article
15. With that directive struck down,
Article 15 remained the governing provision for exceptions to communications
confidentiality within the field harmonised by the Privacy and Electronic
Communications Directive. This left
questions as to what action in respect of requiring the retention of data could
be permissible under Article 15, as understood in the light of the EUCFR.

The cases in today’s judgment
derive from two separate national regimes. The first, concerning Tele2, arose
when – following the DRI judgment –
Tele2 proposed to stop retaining the data specified under Swedish implementing
legislation in relation to the Data Retention Directive. The second arose from
a challenge to the Data
Retention and Investigatory Powers Act 2014 (DRIPA) which had been
enacted to provide a legal basis in the UK for data retention when the domestic
regime implementing the Data Retention Directive fell as a consequence of the
invalidity of that directive. Both sets
of questions referred essentially asked about the impact of the DRI reasoning
on national regimes, and whether Articles 7 and 8 EUCFR constrained the States’
regimes.

The Advocate General handed down
an opinion in July (noted here)
in which he opined that while mass retention of data may be possible, it would
only be so when adequate safeguards were in place. In both instances, the conditions – in
particular those identified in DRI –
were not satisfied.

Judgment

Scope of EU Law

A preliminary question is whether the data
retention, or the access of such data by police and security authorities, falls
within EU law. While the Privacy and
Electronic Communications Directive regulated the behaviour of communications
providers generally, Article 1(3) of that Directive specifies that matters
covered by Titles V and VI of the TEU at that time (e.g. public security,
defence, State security) fall outside the scope of the directive, which the
Court described as relating to “activities of the State”. Further, Article
15(1) permits the State to take some measures resulting in the infringement of
the principle of confidentiality found in Art 5(1) which again “concern
activities characteristic of States or State authorities, and are unrelated to
fields in which individuals are active” [para 72]. While there seems to be overlap
between Article 1(3) and Article 15(1), this does not mean that matters
permitted on the basis of Article 15(1) fall outside the scope of the directive
as “otherwise that provision would be deprived of any purpose” [para 73].

In the course of submissions to
the Court, a distinction was made between the retention of data (by the
communications providers) and access to the data (by police and security
services). Accepting this distinction
would allow a line to be drawn between the two, with retention as an activity
of the commercial operator regulated by the Privacy and Electronic
Communications Directive within its scope and the access, as an activity of the
State lying outside it. The Court rejected this analysis and held that both
retention and access lay within the field of the Privacy and Electronic
Communications Directive [para 76]. It argued that Article 5(1) guarantees
confidentiality of communications from the activities of third parties whether
they be private actors or state authorities. Moreover, the effect of the
national legislation is to require the communications providers to give access
to the state authorities which in itself is an act of processing regulated by
the Privacy and Electronic Communications Directive [para 78]. The Court also
noted that the sole purpose of the retention is to be able to give such access.

Interpretation of Article 15(1)

The Court noted that the aim of
the Privacy and Electronic Communications Directive is to ensure a high level
of protection for data protection and privacy. Article 5(1) established the
principle of confidentiality and that “as a general rule, any person other than
the user is prohibited from storing, without the consent of the users concerned,
the traffic data”, subject only to technical necessity and the terms of Article
15(1) (citing Promusicae) [para 85].
This requirement of confidentiality is backed up by the obligations in
Articles 6 and 9 specifically dealing with restrictions on the use of traffic
and location data. Moreover, Recital 30 points to the need for data
minimisation in this regard [para 87]. So, while Article 15(1) permits
exceptions, they must be interpreted strictly so that the exception does not
displace the rule; otherwise the rule would be “rendered largely meaningless”
[para 89].

As a result of this general
orientation, the Court held that Member States may only adopt measures for the
purposes listed in the first sentence of Article 15(1) and those measures must
comply with the requirements of the EUCFR.
The Court, citing DRI (at paras 25 and 70), noted that in addition to
Articles 7 and 8 EUCFR, Article 11 EUCFR – protecting freedom of expression –
was also in issue. The Court noted the need for such measures to be necessary
and proportionate and highlighted that Article 15 provided further detail in
the context of communications whilst Recital 11 to the Privacy and Electronic
Communications Directive requires measures to be “strictly proportionate” [para
95].

The Court then considered these
principles in the light of the reference in Tele2
at paras 97 et seq of its judgment. Approving expressly the approach of the
Advocate General on this point, it
underlined that communications “data, taken as a whole, is liable to
allow very precise conclusions to be drawn concerning the private lives of the
persons whose data has been retained” and that such data is no less sensitive
than content [para 99]. The interference in the view of the Court was serious
and far-reaching in relation to Articles 7, 8 and 11. While Article 15 identifies combatting crime
as a legitimate objective, the Court – citing DRI – limited this so that only
the fight against serious crime could be capable of justifying such
intrusion. Even the fight against
terrorism “cannot in itself justify that national legislation providing for the
general and indiscriminate retention of all traffic and location data should be
considered necessary” [para 103]. The
Court stressed that the regime provides for “no differentiation, limitation or
exception according to objectives pursued” [para 105]. The Court did confirm that some measures
would be permissible:

… Article
15(1) of Directive 2002/58, read in the light of Articles 7, 8 and 11 and
Article 52(1) of the Charter, does not prevent a Member State from adopting
legislation permitting, as a preventive measure, the targeted retention of
traffic and location data, for the purpose of fighting serious crime, provided
that the retention of data is limited, with respect to the categories of data
to be retained, the means of communication affected, the persons concerned and
the retention period adopted, to what is strictly necessary. [para 108]

It then set down some relevant
conditions:

Clear and
precise rules “governing the scope and application of such a data retention
measure and imposing minimum safeguards, so that the persons whose data has
been retained have sufficient guarantees of the effective protection of their
personal data against the risk of misuse” [para 109].

While
“conditions may vary according to the nature of the measures taken for the
purposes of prevention, investigation, detection and prosecution of serious
crime, the retention of data must continue nonetheless to meet objective
criteria, that establish a connection between the data to be retained and the
objective pursued” [para 110].

The Court then emphasised that
there should be objective evidence for identifying the public whose data is to be
collected, on the basis that the data is likely to reveal a link, even an indirect
one, with serious criminal offences, and thereby contribute in one way or
another to fighting serious crime or to preventing a serious risk to public
security. The Court accepted that geographical factors could be one such
ground, on the basis “that there exists, in one or more geographical
areas, a high risk of preparation for or commission of such offences” [para
111].

Conversely,

…Article 15(1)
of Directive 2002/58, read in the light of Articles 7, 8 and 11 and
Article 52(1) of the Charter, must be interpreted as precluding national
legislation which, for the purpose of fighting crime, provides for the general
and indiscriminate retention of all traffic and location data of all
subscribers and registered users relating to all means of electronic
communication [para 112].

Acceptability of legislation where (1) the measure is not limited to
serious crime; (2) where there is no prior review; and (3) where there is no
requirement that the data stays in the EU.

This next section deals with the
first question referred in the Watson
case, as well as the Tele2
reference.

As regards the first point, the
answer following the Court’s approach at paragraphs 90 and 102 is clear: only
measures justified by reference to serious crime would be justifiable. As regards the second element, the Court
noted that it is for national law to lay down conditions of access so as to ensure
that the measure does not exceed what is strictly necessary. The conditions must be clear and legally
binding. The Court argued that since general access could not be considered
strictly necessary, national legislation must set out by reference to objective
criteria the circumstances in which access would be permissible. Referring to the European Court of Human Rights
(ECtHR) judgment in Zakharov,
the Court specified:

access can, as
a general rule, be granted, in relation to the objective of fighting crime,
only to the data of individuals suspected of planning, committing or having
committed a serious crime or of being implicated in one way or another in such
a crime [para 119].

It then distinguished the general
fight against crime from the fight against terrorism to suggest that in the
latter case:

access to the
data of other persons might also be granted where there is objective evidence
from which it can be deduced that that data might, in a specific case, make an
effective contribution to combating such activities [para 119].

The conditions set down must be
respected. The Court therefore held that, save in cases of genuine emergency,
prior review by an independent body must be carried out on the basis of a
reasoned request by the investigating bodies. In making this point, the Court
referred to the ECtHR judgment in Szabó
and Vissy v. Hungary, as well as its own previous ruling in DRI. Furthermore, once there was no
danger to the investigation by so doing, individuals affected should be
notified, so as to give those affected the possibility to exercise their
right to a remedy as specified in Article 15(2) read with Article 22 of the Data
Protection Directive (Directive 95/46).

Article 15(1) permits derogation
only in relation to specified provisions in the directive; it does not permit derogation
with regard to the security obligations contained in Article 4(1) and 4(1a).
The Court noted the quantity of data as well as its sensitivity to suggest that
a high level of security measures would be required on the part of the
electronic communications providers. Following this, the Court then stated:

…, the
national legislation must make provision for the data to be retained within the
European Union and for the irreversible destruction of the data at the end of
the data retention period (see, by analogy, in relation to Directive 2006/24,
the Digital Rights judgment, paragraphs 66 to 68) [para 122].

The Court noted that, as a
separate obligation from the approval of access to data, States should
ensure that review of compliance with the required regulatory
framework was carried out by an independent body. In the view of the Court,
this followed from Article 8(3) EUCFR. This is an essential element of
individuals’ ability to make claims in respect of infringements of their data protection
rights, as noted previously in DRI
and Schrems.

The Court then summarised the
outcome of this reasoning, that Article 15 and the EUCFR:

must be interpreted as precluding
national legislation governing the protection and security of traffic and location
data and, in particular, access of the competent national authorities to the
retained data, where the objective pursued by that access, in the context of
fighting crime, is not restricted solely to fighting serious crime, where
access is not subject to prior review by a court or an independent
administrative authority, and where there is no requirement that the data
concerned should be retained within the European Union. [para 125]

Relationship between the EUCFR, EU law and the ECHR

The English Court of Appeal had
referred a question about the impact of the ECHR on the scope of the EUCFR in
the light of Article 52 EUCFR. While the Court declared the question
inadmissible, it – like the Advocate General – took the time to point out that the
ECHR is not part of EU law, so the key issue is the scope of the EUCFR; and in
any event Article 52(3) does not preclude Union law from providing
protection that is more extensive than the ECHR. As a further point, the Court
added that Article 8 EUCFR, which provides a separate right to data protection,
does not have an exact equivalent in the ECHR and that there is therefore a
difference between the two regimes.

Comment

Given the trend of recent case
law, the outcome in this case is not surprising. There are some points that are worth
emphasising.

The first relates to the scope of
EU law, which is a threshold barrier to any claim based on the EUCFR. The Advocate General seemed prepared to
accept a distinction between the retention of data and the access thereto
(although conditions relating to the latter could bear on the proportionality
of the former). The Court took a
different approach and held that the access also fell within the scope of the
Directive/EU law, because the national regime imposed an obligation on the
communications service provider to provide access to the relevant authorities.
Given this was an obligation on the service provider, it fell within the
regulatory schema. This approach thus
avoids the slightly unconvincing reasoning which the Advocate General
adopted. It also possibly enlarges the
scope of EU law.

In general terms, the Court’s
reasoning looks at certain provisions of the Privacy and Electronic
Communications Directive. While the
reasoning is set in that context, it does not mean that the Court’s
interpretation of the requirements deriving from the EUCFR is limited only to
this set of surveillance measures. The
rules of interpretation of particularly Articles 7 and 8 could apply more
generally – perhaps to PNR data (another form of mass surveillance) – and
beyond. It is also worth noting that
according to a leaked
Commission document, it is proposed to extend the scope of the Privacy and
Electronic Communications Directive to other communications service providers
not currently regulated by the directive, but who may be subject to some data
retention requirements already.

Whilst the Court makes the point
that Articles 7 and 8 EUCFR are separate and different, and that data retention
implicates also Article 11 EUCFR, in its analysis of the impact of national
measures providing for retention it does not deal with Articles 7 and 8
separately (contrast DRI where a
limited consideration was given to this). Having flagged Article 11 EUCFR, it
takes that analysis no further. This
leaves questions as to the scope of the rights, and particularly how
Article 11 issues play out.

Note that the Court does not
state that data retention itself is impermissible; indeed, it specifies
circumstances when data retention would be acceptable. It challenges the
compatibility of mass data retention with Articles 7 and 8 EUCFR, however, even
in the context of the fight against terrorism.
In this, it is arguable that the Court has taken a tougher stance than
its Advocate General on this point of principle. In this we see a mirror of the approach in DRI, when the Court took a different
approach to its Advocate General. In
that case too, the Advocate General focussed on safeguards and the quality of
law, as has the Advocate General here. For the Court here, differentiation –
between people and between types of offences and threats – based on objective,
evidenced grounds is central to showing that national measures are
proportionate and no more than – in the terms of the directive – strictly
necessary. This seems to go close to disagreeing with the Opinion of the
Advocate General that in DRI, the
Court ‘did not, however, hold that that absence of differentiation meant that
such obligations, in themselves, went beyond what was strictly necessary’
(Opinion, para 199). The Advocate General used this point to argue that DRI did not suggest that mass
surveillance was per se unlawful (see Opinion, para 205). Certainly, in neither
case did the Court expressly hold that mass surveillance was per se unlawful,
so the question still remains. What is clear, however, is that the Court
supports the retention of data following justified suspicion – even perhaps
generalised suspicion – rather than using the analysis of retained data to
justify suspicion.

In its reasoning, the Court did
not – unlike the Advocate General – specifically make a ruling on whether or not
the safeguards set down in DRI, paras
60-68, should be seen as mandatory – in effect creating a 6 point check list.
Nonetheless, it repeatedly cited DRI
approvingly. Within this framework, it highlighted specific aspects – such as
the need for prior approval; the need for security and control over data; a
prohibition on transferring data outside the EU; the need for subjects to be
able to exercise their right to a remedy. Some of these points will be
difficult to reconcile with the current regime in the United Kingdom regarding
communications data.

It did not, however, touch on
acceptable periods for retention (even though it – like its Advocate General –
referred to Zakharov). More
generally, the Court’s analysis – by comparison with that of the Advocate
General – was less detailed and structured, particularly about the meaning of
necessity and proportionality. It did not directly address the points the
Advocate General made about lawfulness, with specific reference to reliance on
codes (an essential feature of the UK arrangements); it did in passing note
that the conditions for access to data should be binding within the domestic
legal system. Is this implicit agreement with the Advocate General on this
point? It certainly agreed with him that the seriousness of the interference
meant that data retention of communications data should be restricted to
‘serious crime’ and not just any crime.

One final issue relates to the
judicial relationship between Strasbourg and Luxembourg. Despite emphasising that the ECHR is not part
of EU law, the Court relies on two recent cases from the ECtHR, perhaps seeking
to emphasise the consistency in this area between the two courts – or perhaps
seeking to put pressure on Strasbourg to hold the line as it faces a number of
state surveillance cases on its own docket, many against the UK. The position
of Strasbourg is significant for the UK. While many assume that the UK will
maintain the GDPR after Brexit in the interests of ensuring equivalence, it
could be that the EUCFR will no longer be applicable in the UK post-Brexit. For
UK citizens, the ECHR then is the only route to challenge state intrusion into
privacy. For those in the EU, data transfers to the UK post-Brexit could
be challenged on the basis that the UK’s law is not sufficiently adequate
compared to EU standards. Today’s ruling – and the UK’s response to it, if any –
could be a significant element in arguing that issue.

3 comments:

I've had a look at the judgment and it's very difficult for me to grasp what justificatory principle(s) or arguments the court is using to support the 'no indiscriminate retention' rule. It seems to me its proportionality and access arguments could as easily have been applied by the Court itself so as to support blanket retention, with access through strictly controlled local judicial gatekeeping (including gatekeeping of automated data analysis/alerts systems setup). Is it all about 'chilling effect'? Could anyone please tell me which para of the judgment said this? Thanks!